Another day, another challenge.
In today’s post, we will solve the first challenge of the flAWS CTF.
flAWS CTF explores misconfigurations, and gotchas in AWS.
Let’s get started.
NOTE: I will be using the AWS command line interface (AWS CLI), which you can download from AWS.
Going to the URL, http://flaws.cloud/, we’re presented with:
Scrolling down we see:
From the little information we have, this level involves buckets, and we probably need to view their contents.
In AWS, there is a service called S3 (Simple Storage Service) which is used for storing objects that can be served over the Internet. To store an object you first create a bucket (see how everything is starting to come together…). Once the bucket is created, you can add your objects to it.
Opening a command prompt we can type the following command
aws s3 ls <s3 domain>
Let’s break down this command.
- We’re using the AWS command line (by typing aws)
- We’re specifying we want to access the s3 service
- We want to list the contents of said bucket (ls = listing)
- We’re specifying the S3 domain (bucket) we want to access
In this case we will type aws s3 ls s3://flaws.cloud
Below is the output:
Hmm… there’s a secret-dd02c7c.html file. Let’s see if we can access it.
Opening a web browser (I’m using Chrome) and entering the following URL: http://flaws.cloud/secret-dd02c7c.html, you should see:
Yay! We have solved the challenge, along with getting the URL for level 2.
Look out for another blog post where we solve that challenge.
Takeaway from the challenge –
For this level the bucket was public, which means it is accessible to EVERYONE. If there is sensitive information that the world should not see, AWS allows buckets to be kept private.
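To make that takeaway concrete, here is a small check I wrote for this post (it is my own added example, not code from the flAWS challenge or from the AWS CLI). It takes the JSON that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return for a bucket and reports the grants and policy statements that make the bucket readable by everyone, which is exactly the misconfiguration that let us list flaws.cloud without any credentials. The two sample documents embedded in the script are constructed to look like a public bucket and a private one; the bucket names and owner IDs in them are placeholders.

```python
"""Flag S3 buckets whose ACL or bucket policy lets the whole world list or
read them.  Input shapes match `aws s3api get-bucket-acl` (a dict with a
"Grants" list) and `aws s3api get-bucket-policy` (a dict whose "Policy"
value is a JSON string).  Added example for this write-up; sample data is
constructed, not captured from a real account."""
import json

# Canned ACL groups that mean "anyone on the Internet" / "any AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# ACL permissions that let the grantee list the bucket (READ) or do anything.
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}


def public_acl_grants(acl):
    """Return 'Group:Permission' for every ACL grant that opens the bucket
    to AllUsers or AuthenticatedUsers with a read-capable permission."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        uri = grantee.get("URI", "")
        if uri in PUBLIC_GROUP_URIS and grant.get("Permission") in READ_PERMISSIONS:
            findings.append(f"{uri.rsplit('/', 1)[-1]}:{grant['Permission']}")
    return findings


def _principal_is_public(principal):
    # A public principal is the string "*" or {"AWS": "*"} / {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_actions(policy_response):
    """Return the actions of every Allow statement whose Principal is public.
    Accepts the raw get-bucket-policy response ({"Policy": "<json string>"}),
    a JSON string, or an already-parsed policy dict.  Condition blocks are
    ignored on purpose: a conditional public grant still deserves a look."""
    if policy_response is None:
        return []
    policy = policy_response
    if isinstance(policy, dict) and "Policy" in policy:
        policy = policy["Policy"]
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        findings.extend([actions] if isinstance(actions, str) else actions)
    return findings


def bucket_is_public(acl, policy_response=None):
    """True if either the ACL or the bucket policy exposes the bucket."""
    return bool(public_acl_grants(acl)) or bool(public_policy_actions(policy_response))


# Constructed sample data (placeholder IDs and bucket name).
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"}
PUBLIC_ACL = {"Owner": {"ID": "OWNER-ID-PLACEHOLDER"}, "Grants": [
    OWNER,
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
PRIVATE_ACL = {"Owner": {"ID": "OWNER-ID-PLACEHOLDER"}, "Grants": [OWNER]}
PUBLIC_POLICY = {"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket-placeholder/*"}],
})}

if __name__ == "__main__":
    for name, acl, pol in (("public-sample", PUBLIC_ACL, PUBLIC_POLICY),
                           ("private-sample", PRIVATE_ACL, None)):
        print(f"{name}: public={bucket_is_public(acl, pol)} "
              f"acl={public_acl_grants(acl)} policy={public_policy_actions(pol)}")
```

In practice you would feed it the output of `aws s3api get-bucket-acl --bucket <name>` and `aws s3api get-bucket-policy --bucket <name>` for each bucket in your account; any bucket it flags is one that strangers can list the way we just listed flaws.cloud.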